PCT

WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 6: H04L 12/22, 9m    A1

(11) International Publication Number: WO 99/29066
(43) International Publication Date: 10 June 1999 (10.06.99)

(21) International Application Number: PCT/US98/25579
(22) International Filing Date: 3 December 1998 (03.12.98)

(30) Priority Data: 08/984,608, 3 December 1997 (03.12.97), US

(71) Applicant: RVTHSCHNOLOGIES, INC. [US/US]; Suite 109, 4485 Highway 29, Lilburn, GA 30047 (US).

(72) Inventor: MANN, Steven, D.; 20 Hearthstone Drive, Stockbridge, GA 30281 (US).

(74) Agents: ROSENBERG, Sumner, C. et al.; Needle & Rosenberg, P.C., 127 Peachtree Street, N.E., Atlanta, GA 30303 (US).

(81) Designated States: AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, CA, CH, CN, CU, CZ, DE, DK, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MD, MG, MK, MN, MW, MX, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TR, TT, UA, UG, UZ, VN, YU, ZW, ARIPO patent (GH, GM, KE, LS, MW, SD, SZ, UG, ZW), Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG).

Published
With international search report

(54) Title: METHOD AND APPARATUS FOR ISOLATING AN ENCRYPTED COMPUTER SYSTEM UPON DETECTION OF VIRUSES AND SIMILAR DATA

(57) Abstract

A method and apparatus for isolating a data receiving entity (30) from a data sending entity (20) include a first data channel (22) coupled to the data sending entity (20), and a second data channel (32) coupled to the data receiving entity. A data encryption chip decrypts data received from [...] to compare a plurality of data words [...] a control signal (42) when [...] An optical isolator (60) is capable of isolating the first data channel [...]



METHOD AND APPARATUS FOR ISOLATING AN ENCRYPTED
COMPUTER SYSTEM UPON DETECTION OF VIRUSES AND SIMILAR
DATA

CROSS-REFERENCE TO RELATED APPLICATION

This is a continuation-in-part of my copending application filed
October 22, 1997, Serial No. 08/955,912, the disclosure of which is
incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention:

This invention relates to computer systems. More particularly, this
invention relates to a method and apparatus for isolating a computer system
upon detection of a virus and similar data.

2. The Prior Art:

Recently, transmission of data viruses over the Internet has become a
serious concern for Internet users. To reduce the concern, several methods are
used to isolate computers from the Internet while the users are in local mode.
However, when users of such methods are in a connected mode, they become
prey to any virus that they may unwittingly download.

Computer virus scanners are common and can be used to detect a virus
once it is downloaded. However, such scanners cannot prevent the virus from
being downloaded. They can only aid in the identification of a virus once it
has already infected the user's computer.
Data security involving data networks is also an important concern.
Many systems encrypt data sent over a network. However, no existing
systems provide both data encryption/decryption and virus detection, thereby
ensuring complete data security for transmitted and received data.

Nowhere does the prior art disclose a method or apparatus for detecting
a virus as it is being received from a network and isolating the user's computer
from the Internet when an incoming virus is detected.

SUMMARY OF THE INVENTION

The above-noted disadvantages of the prior art are overcome by the
present invention, which in one aspect is an apparatus for isolating a data
receiving entity from a data sending entity. A first data channel is coupled to
the data sending entity and a second data channel is coupled to the data
receiving entity. A circuit facilitates encryption and decryption of the data
being received from and transmitted to the data sending entity. A processor is
operationally coupled to the first data channel and detects a data virus received
from the first data channel. An isolation circuit that is responsive to the
processor couples the first data channel to the second data channel when the
processor does not detect a data virus and isolates the first data channel from
the second data channel when the processor detects a data virus.

In another aspect, the invention includes a first data channel coupled to
the data sending entity and a second data channel coupled to the data receiving
entity. A data encryption chip is operationally coupled to the first data
channel. A processor, operationally coupled to the data encryption chip and
programmed to compare a plurality of data words received from the
first data channel to at least one data word characteristic of a data virus, asserts
a control signal when a data word received from the first data channel
corresponds to a data word characteristic of a data virus. A memory that is
operationally coupled to the processor stores at least one data word
characteristic of a data virus. The memory presents to the processor at least
one data word characteristic of a data virus, and an input buffer stores data
received by the processor from the first data channel. An optical isolator,
coupled to the first data channel and the second data channel and having an
enable signal input, is capable of isolating the first data channel from the
second data channel when the enable signal input is not asserted and is also
capable of placing the first data channel and the second data channel in optical
communication with each other when the enable signal input is asserted. A
controllable power supply that is responsive to the control signal from the
processor is coupled to the enable signal input of the optical isolator. The
power supply asserts the enable signal when the control signal is not asserted
and does not assert the enable signal when the control signal is asserted,
thereby causing the optical isolator to isolate the first data channel from the
second data channel.

In yet another aspect, the invention is a method for isolating a data
receiving entity from a data sending entity. When a data virus received from
the data sending entity is detected, the data sending entity is isolated from the
data receiving entity.

An advantage of the invention is that it prevents a data receiving entity,
such as a computer, from receiving a virus from a data sending entity, such as
a computer network.

A further advantage of the invention is that it isolates the data sending
entity from the data receiving entity without disrupting normal operation of
either entity.

A further advantage of the invention is that it allows for encryption and
decryption of communicated data.

These and other advantages will become apparent from the following
description of the preferred embodiment taken in conjunction with the
following drawings, although variations and modifications may be effected
without departing from the spirit and scope of the novel concepts of the
disclosure.

BRIEF DESCRIPTION OF THE FIGURES OF THE DRAWINGS

FIG. 1 is a simplified schematic diagram of the invention.

FIG. 2 is a detailed schematic diagram of the invention.

FIG. 3 is a detailed schematic diagram of an embodiment of
the invention that includes data encryption.

DETAILED DESCRIPTION OF THE INVENTION

A preferred embodiment of the invention is now described in detail.
Referring to the drawings, like numbers indicate like parts throughout the
views. As used in the description herein and throughout the claims that
follow, "a," "an," and "the" includes plural reference unless the context clearly
dictates otherwise. Also, as used in the description herein and throughout the
claims that follow, the meaning of "in" includes "in" and "on" unless the
context clearly dictates otherwise.

As shown in FIG. 1, the apparatus 10 of the invention evaluates data
received from a data sending entity 20, such as the Internet, by a data
receiving entity 30, such as a personal computer or even a local area network.
The data is received via a first data channel 22 coupled to the data sending
entity 20 and a second data channel 32 coupled to the data receiving entity. A
data comparator 40 is operationally coupled to the first data channel 22 and is
used to detect data viruses received from the first data channel 22. When a
virus is detected, a data isolator 60, that is responsive to a control signal 42
from the data comparator 40, isolates the first data channel 22 from the second
data channel 32. Thus, viruses are detected and prevented from being received
by the data receiving entity 30.

As shown in FIG. 2, the apparatus 10 of one preferred embodiment of
the invention interfaces with a peripheral control interface (PCI) 12 of a data
receiving entity 30, such as a personal computer, to provide isolation from a
data sending entity 20, such as the Internet. The data sending entity 20 is
connected to an input interface 24, such as a standard PBX interface, via a first
data channel 22. The data stream received by the input interface 24 is
demodulated using a demodulator circuit 26 so as to conform to the data
format of the data receiving entity 30.

The data stream is then fed into the data comparator 40. In the
comparator circuit 40, a UART chip 46 formats the incoming serial data into
parallel data words and a processor 44, such as a PCI host controller, using
asynchronous transfer mode segmentation and reassembly, compares the
parallel data with known virus signatures stored in a memory 48, such as an
EEPROM. The processor 44, which is controlled by a control memory 50,
buffers data from the UART chip 46 in a memory chip 52 as it awaits virus
scanning analysis.

After the processor 44 has analyzed an incoming word, it is then sent
to the data isolator 60 for eventual transfer to the data receiving entity 30. The
data isolator 60 comprises an optical isolator 62 that is driven by a power
enable signal 66 received from a power supply conditioning ISO drive 64.
The power supply conditioning ISO drive 64 receives power from a power up
control logic circuit 54 which receives power from a power line 74 in the PCI
bus 12.

If no virus is found, the data stream is transferred through the optical
isolator 62 to a modulation level shifting circuit 68, that conditions the data for
receipt by the data receiving entity 30, to a modem interface 34. The modem
interface 34 provides protocol matching to the input interface 24 and sends the
data to the data receiving entity 30.

When a virus is detected in the incoming data stream, a control line 42
from the processor 44 causes the power up control logic circuit 54 to cause the
power supply conditioning ISO drive 64 to cut off power to the optical isolator
62, thereby causing the optical isolator 62 to prevent passage of data
therethrough. A modem standby circuit 36 then takes over and simulates
protocol exchanges with the input interface 24, thereby preventing an
abnormal disconnect.

During power-up, the processor 40 runs the system through a self
checking routine. If any system abnormalities are detected, an interrupt line
70 is asserted. The interrupt line 70 passes through an optical isolator 14 to
ensure unidirectional data transmission to the PCI bus 12.

The power up control logic circuit 54 also performs a self check: a
battery reference 56 is compared to the value on the incoming power line 74
from the PCI bus 12, and if the system is improperly powered, an interrupt line
72 is asserted. The interrupt line 72 is also passed through an optical isolator
16 that ensures that the interrupt line 72 is unidirectional to the PCI bus 12.

As shown in FIG. 3, an embodiment of the invention 100 that includes
data encryption/decryption includes a data cipher processor 180 to
encrypt/decrypt communicated data. The cipher processor 180 could be a
TUNDRA CA95C68, or other encryption chip. In this embodiment, data is
received from the network by a network interface 122, which would be a
standard RJ45 connection, or similar network interface. A data format chip
146 formats the data for the cipher processor 180, which provides decrypted
data to the screening environment processor 144. The screening environment
processor 144, which provides virus detection, could comprise a digital signal
processing (DSP) chip, such as an ADSP-2181, and is serviced by a memory
150. A micro-controller 134 is provided to control the data processing
elements in the invention 100, sends control information to the host
computer's PCI bus 112 and initiates communication handshaking. The
screening environment processor 144 provides a control signal to an opto-
isolator bank 162, which isolates the host personal computer 130 from the
network interface 122 upon detection of a virus.

Data from the opto-isolator bank 162 is conditioned by a network
interface card 132 to make it suitable for the personal computer 130. An opto
drive 164 conditions power to the opto-isolator bank 162.
A power-up conditioner 154 taps power from the PCI bus 112 and
provides power to the opto-drive 164. The power-up conditioner 154 also
sends status signals to the PCI bus 112 through a pair of opto-isolators 114, 116
used to maintain unidirectional data transfer. A battery reference 156 provides
the power-up conditioner 154 with a voltage reference, to facilitate self
checking functions.
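The FIG. 2 and FIG. 3 data paths described above (serial input framed into words, a cipher stage, a comparator holding words against a signature memory, a latched control signal, a power supply whose enable is the inverse of that signal, and an optical isolator that only passes data while powered) can be exercised end to end in software. The following is an added example written for this edition; it is not the patent's own code and does not come from the applicant. The repeating-key XOR is a toy stand-in for the cipher processor 180, the signature words, key and sample streams are constructed for the example, and holding words back until a complete signature could have been seen (rather than releasing each word as soon as it is compared) is a design choice of this model, not something the specification states.

```python
"""Software model of the patent's data path (an added example; not the
patent's own code or a product of the applicant).

Stages, in the order the FIG. 2 / FIG. 3 descriptions give them:
serial bits -> UART framing into data words -> cipher stage (decrypt)
-> comparator: word against signature memory -> control signal 42
-> power supply: enable = NOT control -> optical isolator gating.

Assumptions: the cipher is a toy repeating-key XOR standing in for the
cipher processor 180; signature words, key and sample streams are
constructed; holding words back until a full signature could have been
seen is a design choice of this model, not the patent's.
"""
from dataclasses import dataclass, field
from typing import Iterable, Iterator, List, Optional


def to_bits(data: bytes) -> Iterator[int]:
    """Serialise bytes LSB first, as they would travel on the first data channel."""
    for byte in data:
        for i in range(8):
            yield (byte >> i) & 1


def uart_frames(bits: Iterable[int], word_bits: int = 8) -> Iterator[int]:
    """Serial-to-parallel (UART chip 46): group bits LSB first into words.
    A trailing partial word is dropped, as a UART would not frame it."""
    word, count = 0, 0
    for bit in bits:
        word |= (bit & 1) << count
        count += 1
        if count == word_bits:
            yield word
            word, count = 0, 0


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR (constructed stand-in for the cipher chip);
    symmetric, so the same call also encrypts the sample inputs."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


@dataclass
class IsolatorApparatus:
    signatures: List[bytes]          # memory 48 / 150: words characteristic of a virus
    key: Optional[bytes] = None      # None models FIG. 2, which has no cipher stage
    control_signal: bool = False     # control line 42; latched once asserted
    input_buffer: bytearray = field(default_factory=bytearray)  # memory chip 52
    released: int = 0                # buffered words that have passed the isolator
    delivered: bytearray = field(default_factory=bytearray)     # reached entity 30

    @property
    def enable_signal(self) -> bool:
        """Power supply 64: the enable is asserted only while control is not."""
        return not self.control_signal

    def _lag(self) -> int:
        # Words held back so that a signature is never partly delivered (model choice).
        return max(len(s) for s in self.signatures) - 1

    def _pass_isolator(self) -> None:
        """Optical isolator 62: forwards the next buffered word only while powered."""
        if self.enable_signal:
            self.delivered.append(self.input_buffer[self.released])
            self.released += 1

    def feed(self, serial_bits: Iterable[int]) -> bytes:
        """Run one incoming serial stream through the apparatus and return the
        bytes that reached the receiving entity."""
        for index, word in enumerate(uart_frames(serial_bits)):
            if self.key is not None:                       # cipher processor 180
                word ^= self.key[index % len(self.key)]
            self.input_buffer.append(word)                 # buffer awaiting analysis
            if any(self.input_buffer.endswith(s) for s in self.signatures):
                self.control_signal = True                 # comparator asserts line 42
            if len(self.input_buffer) - self.released > self._lag():
                self._pass_isolator()
        while self.enable_signal and self.released < len(self.input_buffer):
            self._pass_isolator()                          # drain the analysed tail
        return bytes(self.delivered)


def screen(stream: bytes, signatures: List[bytes], key: Optional[bytes] = None) -> bytes:
    """Convenience wrapper: serialise, feed, and report what was delivered."""
    return IsolatorApparatus(signatures, key).feed(to_bits(stream))


if __name__ == "__main__":
    sigs = [b"EVIL", b"\xde\xad"]                          # constructed signatures
    print(screen(b"hello world", sigs))                    # clean stream passes
    print(screen(b"hello EVIL world", sigs))               # cut before the signature
    ct = xor_bytes(b"data EVIL", b"\x5a\xa5")              # FIG. 3: encrypted on the wire
    print(screen(ct, sigs, key=b"\x5a\xa5"))               # decrypted, then detected
    print(screen(ct, sigs))                                # no cipher stage: missed
```

The last two calls show why the FIG. 3 embodiment places the cipher processor ahead of the screening processor: the same signature in an encrypted stream is only visible to the comparator after decryption, and a FIG. 2 style path with no cipher stage delivers it untouched. Because the control signal is latched, everything after the match stays blocked, which is the behaviour the specification describes for the optical isolator once its power is cut.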

The above described embodiment is given as an illustrative example
only. It will be readily appreciated that many deviations may be made from
the specific embodiment disclosed in this specification without departing from
the invention. Accordingly, the scope of the invention is to be determined by
the claims below rather than being limited to the specifically described
embodiment above.






CLAIMS

What is claimed is:

1. An apparatus for isolating a data receiving entity from a data sending
entity, comprising:

a. a first data channel, coupled to the data sending entity;

b. a second data channel, coupled to the data receiving entity;

c. means, operationally coupled to the first data channel, for
detecting a data virus received from the first data channel;

d. means, responsive to the detecting means, for coupling the first
data channel to the second data channel when the detecting
means does not detect a data virus and for isolating the first
data channel from the second data channel when the detecting
means detects a data virus; and

e. means for decrypting data received from the first data channel
and for encrypting data transmitted to the first data channel.

2. An apparatus for isolating a data receiving entity from a data sending
entity, comprising:

a. a first data channel, coupled to the data sending entity;

b. a second data channel, coupled to the data receiving entity;

c. means, operatively coupled to the first data channel and to the
second data channel, for decrypting data received from the first
data channel and for encrypting data transmitted to the first data
channel;

d. means for comparing a plurality of data words received from
the first data channel to at least one data word characteristic of
a data virus and for asserting a control signal when a data word
received from the first data channel corresponds to a data word
characteristic of a data virus; and

e. means, coupled to the first data channel and the second data
channel and operationally coupled to the control signal, for
isolating the first data channel from the second data channel
when the control signal is asserted and for placing the first data
channel and the second data channel in optical communication
when the control signal is not asserted.

3. The apparatus of Claim 2, wherein the comparing means comprises:

a. a processor; and

b. means for presenting to the processor at least one data word
characteristic of a data virus.

4. The apparatus of Claim 2, wherein the decrypting and encrypting
means comprises a data encryption chip.

5. The apparatus of Claim 3, wherein the processor comprises a screening
environment processor.

6. The apparatus of Claim 3, wherein the presenting means comprises a
memory, operationally coupled to the processor, that stores at least one
data word characteristic of a data virus.

7. The apparatus of Claim 3, further comprising an input buffer that
stores data received by the processor.

8. The apparatus of Claim 2, wherein data on the first data channel is
transmitted in a serial format and wherein the apparatus further
comprises means for converting segments of serial data received from
the first data channel to data in a parallel format.

9. The apparatus of Claim 2, wherein the isolating means comprises an
optical isolator.

10. The apparatus of Claim 8, further comprising a controllable power
supply responsive to the control signal from the comparing means, the
power supply generating an enable signal when the control signal is
not asserted, wherein the optical isolator is powered by the enable
signal so that when the optical isolator receives power from the enable
signal, the first data channel and the second data channel are in optical
communication with each other.

11. An apparatus for isolating a data receiving entity from a data sending
entity, comprising:

a. a first data channel, coupled to the data sending entity;

b. a second data channel, coupled to the data receiving entity;

c. a data encryption chip, operatively coupled to the first data
channel and to the second data channel, for decrypting data
received from the first data channel and for encrypting data
transmitted to the first data channel;

d. a processor that is programmed to compare a plurality of data
words received from the first data channel to at least one data
word characteristic of a data virus and to assert a control signal
when a data word received from the first data channel
corresponds to a data word characteristic of a data virus;

e. a memory, operationally coupled to the processor, that stores at
least one data word characteristic of a data virus and presents to
the processor at least one data word characteristic of a data
virus;

f. an input buffer that stores data received by the processor from
the first data channel;

g. an optical isolator, coupled to the first data channel and the
second data channel and having an enable signal input, that is
capable of isolating the first data channel from the second data
channel when the enable signal input is not asserted and is
capable of placing the first data channel and the second data
channel in optical communication with each other when the
enable signal input is asserted; and

h. a controllable power supply responsive to the control signal
from the processor and coupled to the enable signal input of the
optical isolator, the power supply asserting the enable signal
when the control signal is not asserted and the power supply
not asserting the enable signal when the control signal is
asserted, thereby causing the optical isolator to isolate the first
data channel from the second data channel.

12. The apparatus of Claim 10, wherein the processor comprises a PCI
host controller.

13. The apparatus of Claim 10, wherein data on the first data channel is
transmitted in a serial format and wherein the apparatus further
comprises means for converting segments of serial data received from
the first data channel to data in a parallel format.

14. A method for isolating a data receiving entity from a data sending entity,
comprising:

detecting a data virus received from the data sending entity;

isolating the data sending entity from the data receiving entity
upon detecting a data virus received from the data sending
entity;

decrypting data received from the data sending entity by the
data receiving entity; and

encrypting data sent from the data receiving entity to the data
sending entity.